CSCC Technical White Paper Final v6 July 17 2017

Industry Technical White Paper

ABSTRACT

On May 11, 2017 President Trump signed Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, tasking the Department of Commerce and the Department of Homeland Security to lead an open and transparent process to identify ways to improve the resilience of the internet and communications ecosystem and reduce the threats perpetuated by botnets, particularly distributed denial of service attacks. In this technical white paper, the communications sector describes the botnet problem from the perspective of internet service providers (ISPs), identifies some challenges and opportunities, and then proposes several preliminary recommendations or actionable steps that ecosystem participants, including ISPs, should consider to mitigate the threats associated with botnets and automated attacks.

Communications Sector Coordinating Council
July 17, 2017


Communications Sector Coordinating Council | www.comms-scc.org

Table of Contents

Executive Summary ..... 1
Internet Ecosystem and Communications Sector ..... 3
Bots, Botnets and Associated Threats ..... 7
Current Tools and Techniques ..... 14
Emerging Solutions ..... 18
Challenges and Opportunities ..... 21
Industry Recommendations ..... 29
Conclusion ..... 31
Appendix A - Cyber Threat Reports ..... i
Appendix B – Threats from Botnets ..... iv
Glossary ..... vi


Executive Summary

A bot is code used to seize control over a computer or a device to form a network of infected machines, known as a botnet. Many botnets are self-spreading and self-organizing networks of compromised machines that can be used to perform malicious activities in a coordinated way through command and control (C&C) channels. While bots are not new, the growing deployment of Internet of Things (IoT) devices amplifies their capability to create a large-scale global security threat.

In recognition of this growing global threat, on May 11, 2017, President Trump signed Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,[1] tasking the Department of Commerce (DoC) and the Department of Homeland Security (DHS) to lead an open and transparent process to identify ways to improve the resilience of the internet and communications ecosystem and reduce the threats perpetuated by bots and botnets.

In this technical white paper, the communications sector, specifically internet service providers (ISPs) in this context, seeks to inform that process by describing the shared responsibilities of key participants in the internet ecosystem for mitigating the threats posed by botnets. It is a fallacy to believe that any single component of the internet ecosystem has the ability to mitigate the threat from botnets and other automated systems. While ISPs, as infrastructure owners and operators, play an important role in this ecosystem, so do the manufacturers of devices, developers of software, system integrators, edge providers, cloud service providers, and others. It will take the concerted effort of all members of this ecosystem to address fully the threats from bots and botnets.

The internet ecosystem has been working collaboratively to neutralize the threats from bots and botnets for years. In this paper, the Communications Sector Coordinating Council (CSCC) identifies a number of challenges of mitigating botnets, and opportunities for increased collaboration and cooperation among members of the internet ecosystem to address the problem, including:

• Improving the efficiency of the law enforcement process to take down botnets;
• Sharing of actionable cyber threat information;
• Reducing the dependency upon the use of network address translation (NAT) functions;
• Mitigating botnet traffic from foreign countries;
• Managing end-user notifications of malware infections;
• Defending against unsecured IoT devices;
• Combatting the use of fast flux domain name server (DNS) by botnets to hide their infrastructure; and
• Coordinating network-to-network network management.

As part of DoC and DHS's open and transparent process, the CSCC also proposes the following preliminary recommendations or actionable steps that ecosystem participants, including ISPs, should consider to mitigate the threats associated with bots, botnets, and automated attacks:

• Streamline the law enforcement process to take down botnets;
• Encourage continued migration to IPv6;
• Ensure that shared cyber threat information is actionable and tailored to meet recipients' needs;
• Network operators and end-users should include pre-negotiated provisions for traffic filtering in transit and peering agreements;
• Encourage the Internet Corporation for Assigned Names and Numbers (ICANN), registries, and registrars to adopt the fast flux mitigation techniques recommended by the Security and Stability Advisory Committee (SSAC);
• Improve botnet detection by encouraging the adoption and use of machine learning techniques;
• Ensure all end-points including IoT devices adhere to industry developed security standards;
• Ensure end-points are running up-to-date software; and
• IoT devices should use network isolation and/or network based filtering techniques for any communications to cloud-based services.

[1] The White House Office of the Press Secretary, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (May 11, 2017), available at https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal.


Internet Ecosystem and Communications Sector

The ecosystem supporting the internet, including the members of the communications sector providing internet access services, is complex, diverse, and inter-dependent. To fully understand the threats that botnets pose, it is important to understand the ecosystem and stakeholders' relationships. This section provides a summary of the internet ecosystem and explains how the communications sector fits into the broader internet ecosystem in protecting critical infrastructure from threats from bots and botnets.

Internet Ecosystem

The internet ecosystem is a diverse, highly integrated system comprised of many stakeholders. The Internet Society (ISOC) describes the broad internet ecosystem as being made up of six primary communities as shown below.[2]

[2] Internet Society, Who Makes the Internet Work: The Internet Ecosystem (Feb. 3, 2014), available at http://www.internetsociety.org/who-makes-internet-work-internet-ecosystem (accessed July 16, 2017).


Figure 1: Internet Ecosystem (Source: Internet Society)

The network operators, which are part of the communications sector, provide the "Shared Global Services and Operations" shown in Figure 1. When viewed solely from the network perspective, the internet ecosystem looks more like Figure 2.


Figure 2: Network View of Internet Ecosystem

In this context, the internet ecosystem is comprised of many machines/devices (e.g., smartphones, desktop computers, IoT devices, etc.) that connect to network service providers. The network service providers use a combination of transit and peering[3] to provide internet connectivity to service creators (e.g., hosting, ecommerce, social media, enterprises, etc.). Many of the service creators are cloud-based, meaning that they operate a network of machines working together to provide a service. All of the parts work together to provide what is commonly referred to as the internet.

Communications Sector

Owners and operators of communications infrastructure (broadcast, cable, satellite, wireless, and wireline) comprise the communications sector. The communications sector is one of the 16 Critical Infrastructure/Key Resource (CI/KR) sectors identified in the DHS National Infrastructure Protection Plan (NIPP). This sector includes the network operators that provide internet access services. As part of a public/private partnership with DHS, the communications sector utilizes the Communications Sector Coordination Council (CSCC) and the Communications Information Sharing and Analysis Center (Comm-ISAC) to help secure the communications networks CI/KR from harm.

[3] Note: There is a glossary in Appendix B that provides more information on the technical terms used in this document.

The communications sector has a long history of cooperation within its membership and with federal government with respect to national security and emergency preparedness. This history distinguishes the communications sector from most other critical sectors identified in the National Infrastructure Protection Plan (NIPP). The sector exemplifies cooperation and trusted relationships that have resulted in the delivery of critical services when emergencies and disasters occur. This strong bond exists largely because of three organizations that have been created in response to earlier threats to the nation's critical infrastructure.

Policy - The National Security Telecommunications Advisory Committee (NSTAC). The NSTAC (www.ncs.gov/nstac/nstac.html) was created in 1982 by Executive Order 12382. It provides a highly successful example of how industry helps direct government decisions around national security and emergency preparedness communications (NS/EP). NSTAC is comprised of up to 30 chief executives from major telecommunications companies, network service providers, and information technology, finance, and aerospace companies. Through a deliberative process, they provide the President with recommendations intended to assure vital telecommunications links through any event or crisis, and to help the U.S. Government maintain a reliable, secure, and resilient national communications posture. Key areas of NSTAC focus include: strengthening national security; enhancing cybersecurity; maintaining the global communications infrastructure; assuring communications for disaster response; and addressing critical infrastructure interdependencies.

Planning - Communications Sector Coordinating Council (CSCC). The CSCC was chartered in 2005 in order to: help coordinate initiatives to improve the physical and cyber security of sector assets; ease the flow of information within the sector, across sectors and with designated Federal agencies; and address issues related to response and recovery following an incident or event. The more than 40 members of the CSCC broadly represent the sector and include cable providers, commercial and public broadcasters, information service providers, satellite providers, undersea cable providers, utility telecom providers, service integrators, equipment vendors, and wireless and wireline owners and operators and their respective trade associations.

Operations - National Coordinating Center for Telecommunications (NCC) Communications Information Sharing and Analysis Center (Comm-ISAC). In 1982, federal government and telecommunications industry officials identified the need for a joint mechanism to coordinate the initiation and restoration of national security and emergency preparedness telecommunications services. In 1984, Executive Order 12472 created the NCC. This organization's unique partnership between industry and government advances collaboration on operational issues on a 24x7 basis and coordinates NS/EP responses in times of crisis. Since 2000, the NCC's Communications Information Sharing and Analysis Center (Comm-ISAC), comprised of 51 industry member companies, has facilitated the exchange of information among government and industry participants regarding vulnerabilities, threats, intrusions, and anomalies affecting the telecommunications infrastructure. Industry and government representatives meet weekly to share threat and incident information. During emergencies, industry and government representatives involved with the response efforts meet daily, or even more frequently.

Bots, Botnets, and Associated Threats

Bot – a program that is installed on a system in order to enable that system to automatically (or semi-automatically) perform a task or set of tasks typically under the command and control of a remote administrator (aka botmaster or bot herder).[4]

Botnet – a network of internet-connected end-user computing devices infected with bot malware and remotely controlled by third parties for nefarious purposes.[5]

Bots are not a new phenomenon. It is important to note that not all bots are bad, and not all botnets are used for nefarious purposes. There are some good bots in environments like gaming and Internet Relay Chat (IRC). However, for the purposes of this paper, all mentions of bots and botnets will assume they are malicious or potentially malicious in nature.

A "botnet" is a network of bots working together with the capability of acting on instructions generated remotely. A typical botnet may range from a few thousand bots to hundreds of thousands or even millions of bots. Bots and botnets are highly customizable and can be programmed to do many things, including: theft of personal and other sensitive information, spam, email address harvesting, distributed denial of service (DDoS) attacks, key-logging, hosting illegal content, and click fraud. These types of cyber-attacks are described in greater detail later in this paper.

Early bots used IRC to communicate to their C&C servers. Over time, bots and botnets have grown more sophisticated. For instance, bots and botnets have been made more resilient by incorporating peer-to-peer (P2P) architectures and protocols; domain name generating algorithms; hypertext transfer protocol (HTTP) to specific uniform resource locators (URL) within legitimate websites; sophisticated, hierarchical C&C infrastructures; and encryption. Each of these improvements has made it more difficult to identify and isolate bad traffic from legitimate network traffic.

Historically, bots infected desktop computers and servers, resulting in eventual detection and removal using antivirus software. In contrast, IoT devices often do not have a user interface (UI); are designed to run autonomously; and are connected either directly or indirectly to the internet. These devices do not lend themselves well to some traditional security protections. They may connect to the internet without a firewall and are usually placed on the same local area network (LAN) segment as other higher value targets. They are unlikely to run anti-virus software. In addition, they may be considered a low security risk since they are low cost and only process seemingly innocuous data. However, IoT devices are actually enticing targets for exploitation, as the devices provide computing power that can be utilized by bad actors, typically unnoticed by the owners, and are often "install and forget" equipment.

Large networks of IoT devices can become compromised by bots when connected to high-speed internet connections, which can cause significant damage. The October 2016 Mirai botnet DDoS attack against DNS provider Dyn is one of the more recent examples. The Mirai botnet exploited weak security in many IoT devices by continuously scanning the internet, looking for more IoT devices that were protected by factory default or hard coded usernames and passwords.[6] As the Mirai botnet discovered vulnerable IoT devices, it loaded its malware onto the devices and began communicating with the C&C servers awaiting instructions. The Mirai botnet then was used to launch a large-scale DDoS attack against Dyn by instructing each infected device to flood the Dyn DNS servers with a high volume of packets using the DNS service destination port (user datagram protocol (UDP) port 53) as well as flooding authoritative servers with numerous requests for invalid domain names.[7] The attack prevented a number of Dyn's customers from being able to access domain names served by Dyn DNS during the attack.

The Dyn attack was not an isolated incident. The peak attack size increased dramatically in a short period of time, rising from 500 Gbps in 2015 to 800 Gbps in 2016.[8] The KrebsonSecurity site was also hit by an attack in September 2016, which reached 620 Gbps. In fact, the Mirai botnet and other IoT botnets were in existence for some time prior to these attacks and generally used for performing smaller DDoS attacks.

[4] Federal Communications Commission (FCC), Communications Security Reliability and Interoperability Council (CSRIC) III, U.S. Anti-Bot Code of Conduct (ABCs) for Internet Service Providers (Mar. 2012), available at https://transition.fcc.gov/bureaus/pshs/advisory/csric3/CSRIC-III-WG7-Final-ReportFinal.pdf (accessed June 20, 2017).
[5] Id.
[6] Symantec Security Response, Mirai: what you need to know about the botnet behind recent major DDoS attacks, Symantec Official Blog (Oct. 27, 2016), available at https://www.symantec.com/connect/blogs/mirai-what-you-need-know-about-botnet-behind-recent-major-ddos-attacks (accessed June 20, 2017).

Botnet Threats

As described above, bots and botnets are highly customizable, and as a result, can be programmed to do many beneficial things on the internet. However, they are often, and increasingly, used for nefarious activities such as the types of attacks listed below.

• DDoS attacks;
• Data theft;
• Illicit content distribution;
• Brute force password guessing;
• Processing theft;
• Click fraud;
• Email spam; and
• Unauthorized gateway.

The remainder of this section, however, will focus on DDoS attacks. Descriptions of the other types of attacks listed above can be found in Appendix B.

[7] Scott Hamilton, Dyn Analysis Summary Of Friday October 21 Attack, Dyn Blog (Oct. 26, 2016), available at http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/ (accessed June 20, 2017).
[8] Arbor Networks, 12th Annual Worldwide Infrastructure Security Report, Arbor Networks Special Report Vol. XII (2016), at p. 21, available at https://pages.arbornetworks.com/rs/082-KNA-087/images/12th_Worldwide_Infrastructure_Security_Report.pdf (accessed June 30, 2017).


DDoS attacks – a highly prevalent form of attack perpetrated by botnets – illustrate some of the many challenges of preventing attacks, as well as of preventing bots from compromising end-points.

DDoS attacks can be broken into four main categories:[9]

• Volumetric;
• Application/resource;
• State exhaustion; and
• Control plane.

Volumetric DDoS attacks consist of hundreds to hundreds of thousands of bots flooding the victim with packets, resulting in denial of the service to others. The attacks can be direct, where the bots send the packets addressed directly to the victim either with their own source IP address or a spoofed source IP address. Indirect attacks leverage a technique known as a reflective amplification attack, in which bots spoof the source IP address to be that of the intended attack target.[10] The bots then send request packets to other services such as DNS, Character Generator Protocol (chargen), or Simple Service Discovery Protocol (SSDP) to trick the services to send responses toward the victim. Indirect or reflection attacks are often crafted to cause the service to send a response that is much larger than the bot's initial request, resulting in an amplification attack. In some circumstances, the amplifications can be thousands of times greater than the bots' initial request packets.
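To show what the reflection pattern looks like from the operator's side, here is an added example (not code from the CSCC paper) that scans constructed flow records for responses from the reflector services named above (DNS, chargen, SSDP) converging on one destination, and reports how lopsided the response-to-request byte ratio is. The flow record shape, addresses and byte counts are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP services the paper names as reflectors: DNS, chargen and SSDP.
REFLECTOR_PORTS = {53: "DNS", 19: "chargen", 1900: "SSDP"}


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (constructed shape, not a real export format)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    nbytes: int


def find_reflection_victims(flows, min_reflectors=3, min_ratio=10.0):
    """Return {victim_ip: report} for hosts that receive reflected responses.

    A request is a UDP flow towards a reflector port; a response is a UDP flow from
    one. Where the vantage point sees both directions (a transit or reflector-side
    network), the spoofed requests carry the victim's address, so the ratio of
    response bytes to request bytes approximates the amplification factor. Where
    only the victim's side is visible, the same ratio measures how much reflector
    traffic arrives that the victim never asked for; it is large either way.
    """
    request_bytes = defaultdict(int)                         # (client, reflector, port) -> bytes
    response_bytes = defaultdict(lambda: defaultdict(int))   # victim -> (reflector, port) -> bytes
    for f in flows:
        if f.proto != "udp":
            continue          # TCP needs a handshake, so it is not an amplification vector here
        if f.dst_port in REFLECTOR_PORTS:
            request_bytes[(f.src_ip, f.dst_ip, f.dst_port)] += f.nbytes
        elif f.src_port in REFLECTOR_PORTS:
            response_bytes[f.dst_ip][(f.src_ip, f.src_port)] += f.nbytes

    reports = {}
    for victim, per_reflector in response_bytes.items():
        resp = sum(per_reflector.values())
        req = sum(request_bytes.get((victim, r, p), 0) for (r, p) in per_reflector)
        ratio = resp / req if req else float("inf")
        # Many distinct reflectors plus a lopsided byte ratio is the reflection signature;
        # a single resolver answering a host's own queries never trips both conditions.
        if len(per_reflector) >= min_reflectors and ratio >= min_ratio:
            reports[victim] = {
                "reflectors": len(per_reflector),
                "services": sorted({REFLECTOR_PORTS[p] for (_, p) in per_reflector}),
                "response_bytes": resp,
                "request_bytes": req,
                "ratio": ratio,
            }
    return reports


def sample_flows():
    """Constructed records: one ordinary resolver exchange plus a reflection burst."""
    victim = "203.0.113.10"
    flows = [
        # 203.0.113.20 sends a normal DNS query and gets a modest answer.
        Flow("203.0.113.20", 40001, "198.51.100.1", 53, "udp", 64),
        Flow("198.51.100.1", 53, "203.0.113.20", 40001, "udp", 128),
        # A DNS-over-TCP transfer towards the victim: large, but not reflection.
        Flow("198.51.100.1", 53, victim, 40002, "tcp", 4000),
    ]
    # Four open resolvers each answer a 64-byte query, spoofed from the victim, with 3200 bytes.
    for i in range(1, 5):
        flows.append(Flow(victim, 5353, f"198.51.100.{i}", 53, "udp", 64))
        flows.append(Flow(f"198.51.100.{i}", 53, victim, 5353, "udp", 3200))
    # Two SSDP devices answer 100-byte spoofed probes with 1500 bytes each.
    for i in (7, 8):
        flows.append(Flow(victim, 40003, f"192.0.2.{i}", 1900, "udp", 100))
        flows.append(Flow(f"192.0.2.{i}", 1900, victim, 40003, "udp", 1500))
    return flows


if __name__ == "__main__":
    for ip, report in find_reflection_victims(sample_flows()).items():
        print(ip, report)
```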

Application attacks tend to be lower volume traffic attacks than volumetric attacks. They are characterized by bots sending legitimate-looking application-level requests to a system to consume resources (e.g., CPU, disk access, database lookups, etc.) and overwhelm the system, thereby preventing others from accessing it.

State exhaustion attacks leverage the fact that devices like servers, firewalls, and intrusion detection systems have limited capabilities to track the state of concurrent transactions. The bots leverage this limitation and consume all the state capabilities by opening many connections and not fully continuing those connections to completion.

[9] FCC CSRIC IV, Remediation of Server-Based DDoS Attacks Final Report (Sept. 2014), available at https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG5_Remediation_of_Server-Based_DDoS_Attacks_Report_Final_(pdf)_V11.pdf (accessed June 20, 2017).
[10] Messaging, Malware and Mobile Anti-Abuse Working Group, M3AAWG Introduction to Reflective DDoS Attacks (May 2017), available at https://www.m3aawg.org/sites/default/files/m3aawg-reflective-ddos-attack-intro.pdf (accessed June 20, 2017).

Control plane attacks leverage the limitations of the internet protocols such as the Border Gateway Protocol[11] (BGP), IPv6,[12] and DNS protocol.[13]

A challenge with all types of DDoS attacks, especially for ISPs, is identifying them. Cyber criminals are rapidly devising more sophisticated botnets, making it harder to distinguish bad traffic from good traffic. The earliest forms of bots often transmitted their messages in clear-text, on well-known ports, to hard-coded IP addresses, thereby making the traffic both easy to identify and to block. Increasingly, bots masquerade their traffic as application-level traffic (e.g., they make it look like regular web traffic or encrypted web traffic, use peer-to-peer techniques to avoid a single point of failure, or use VPNs to encrypt and tunnel their traffic to evade detection).

The Mirai botnet attack also leveraged the fact that there are millions of IoT devices all over the globe, and the attack traffic was generated from the far corners of the internet, sourced at the victims' locations. Level 3 Threat Research Labs reported that it observed over a million IoT devices participating in botnet attacks, and a large percentage were located in Taiwan, Brazil, and Colombia.[14] The challenge for an ISP in detecting and blocking this traffic is that it does not originate on the ISP's network and may only transit a portion of the network, if it transits it at all. And even if there are bots on the network originating traffic, the volume of traffic from the bots may not be high enough to detect on the network.

Botnet attack traffic may look entirely normal. Much of it is reflective amplified attacks (which offer the best bang for the buck), frequently using well known common services such as DNS, network time protocol (NTP), and HTTP.

[11] K. Butler, et al., A Survey of BGP Security Issues and Solutions, Proceedings of the IEEE 98, no. 1 (Jan. 2010), at pp. 100-122 (doi: 10.1109/jproc.2009.2034031).
[12] Cisco, IPv6 Extension Headers Review and Considerations [IP Version 6 (IPv6)] (Oct. 10, 2006), available at http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html (accessed June 30, 2017).
[13] Suranjith Ariyapperuma and Chris Mitchell, Security vulnerabilities in DNS and DNSSec, Proceedings of The Second International Conference on Availability, Reliability and Security, ARES 2007, The International Dependability Conference - Bridging Theory and Practice, Vienna, Austria, available at http://web.mit.edu/6.033/www/papers/dnssec.pdf (accessed June 30, 2017).
[14] Level 3 Research Labs, Attack of Things!, available at http://www.netformation.com/level-3-pov/attack-of-things-2 (accessed June 20, 2017).


There are hundreds of different types of attacks within the five DDoS attack categories. Mirai itself has about a dozen DDoS attacks programmed into it. The botnet spread by scanning for open telnet ports (transmission control protocol port 23). Telnet is a clear text protocol and is extremely insecure and should not be used over the internet, but this is exactly how Mirai was spread. During the Dyn DNS attack, Mirai used DNS "water torture,"[15] which it proxied through several well-known open resolvers (Google 8.8.8.8, for example). The attack on the KrebsonSecurity[16] website was designed to appear like the generic routing encapsulation (GRE) protocol.[17] Both attacks could have been blocked by upstream internet transit providers. In the case of the Dyn attack, network service providers and the Comm-ISAC reached out to Dyn to offer assistance.

The KrebsonSecurity attack, being GRE-based, could have been blocked by most ISPs. The Dyn traffic was proxied by well-known open resolvers, so rate limiting that traffic towards the Dyn IPs could have mitigated most of the effects of that attack. Brobot, which affected many U.S. financial systems, used HTTP and HTTPS for most of its attacks. Blocking it would require content examination and filtering, something ISPs generally do not do and cannot do for HTTPS without holding the end-user's private keys. Malicious traffic that is encrypted (e.g., HTTPS) cannot be filtered.

The latest attacks illustrate the sophistication and scale that botnets have achieved. Botnets are detectable; the challenge is stopping them. The best way to stop them is to prevent their spread in the first place. The real challenge for the internet ecosystem in dealing with botnet threats is the remediation of infected end-points. Without either remediating the end-point or disconnecting the infected end-point from the internet, the threat from the infected end-point remains. Ensuring that end-points are running the latest software with the latest security patches is a recognized best practice for mitigating the spread of and threats from malicious and nefarious bots.

[15] DNS water torture is an attack type where many end-points send queries for a victim's domain with a random string prepended to the domain, which overwhelms the victim's authoritative DNS server and makes the victim's domain inaccessible.
[16] See https://krebsonsecurity.com.
[17] KrebsonSecurity, KrebsOnSecurity Hit With Record DDoS (Sept. 21, 2016), available at http://krebsonsecurity.com/tag/gre-ddos/ (accessed July 16, 2017).


Most Botnet Traffic Originates Outside the United States

The threat landscape from botnets continues to evolve. According to threat intelligence companies, notable trends identified in the threat landscape in 2016 are that: 1) insecure IoT devices are a big source of DDoS attack traffic;[18] and 2) the vast majority of the attack traffic originates from outside the United States.[19]

In 2016, attacks from IoT devices made headlines with the Mirai botnet attacks from improperly secured security cameras and their closed-circuit TV (CCTV) recorders (DVRs). As noted by Level 3 Threat Research Labs, many of the insecure cameras and DVRs were located in Taiwan, Brazil, and Colombia.[20] Shodan,[21] a search engine that lets the user find specific types of IoT and other devices that are connected and visible on the public internet, reports (as of July 2017) 300K+ susceptible Hikvision devices connected directly to the internet, with the vast majority of those devices located in Brazil (45,000), India (36,000), China (34,000), Mexico (25,000), and South Korea (20,000).[22]

While attributing the exact source of botnet attacks is difficult, it is almost always possible to determine the source country of the traffic. Numerous reports[23] indicate that the leading sources of attack traffic are China and other countries in Southeast Asia (e.g., Vietnam, Taiwan, and Thailand).[24]

This is consistent with an earlier study that showed a strong correlation between devices used for botnet attacks and the country in which the devices reside. Such devices are typically running software without the latest security patches.[25] In one study, researchers analyzed six years of longitudinal data from the sink-hole of Conficker, one of the largest botnets ever seen, to assess the impact on botnet mitigation of national anti-botnet initiatives aimed at getting end-users to clean infected end-user machines. They found that peak infection levels strongly correlate with software piracy. This implies that countries with a higher number of end-users running unlicensed copies of software tend to have higher numbers of bots because those assets have a lower percentage of registered users getting security patches.

A similar pattern was seen with the Mirai botnet, which exploited the fact that a class of IoT devices shipped with well-known, default login credentials that end-users rarely change. Vulnerabilities with at least one of the manufacturers were reported as far back as 2013.[26] Only after the Mirai botnet attack was reported did the manufacturer in question provide a firmware update to address the vulnerabilities, and, even then, it required manual intervention by device end-users to update the firmware, as the devices did not support an automated manner for securely updating their software.

[18] Akamai, State of the Internet Security Q4 2016 Report (Winter 2016), available at https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q4-2016-state-of-the-internet-security-report.pdf (accessed June 20, 2017).
[19] Incapsula.com, Global DDoS Threat Landscape Q1 2017 (Spring 2017), available at https://www.incapsula.com/ddos-report/ddos-report-q1-2017.html (accessed June 20, 2017).
[20] Level 3 Research Labs, Attack of Things!, available at http://www.netformation.com/level-3-pov/attack-of-things-2 (accessed June 20, 2017).
[21] See shodan.io (Shodan scans the internet indexing devices that respond to port scans on port 80, 8080, 443, 8443, 21, 22, 23, 161, 5060, 554, and other well-known ports).
[22] Shodan, Search of "Hikvision," available at https://www.shodan.io/search?query=hikvision (accessed June 20, 2017).
[23] See Appendix A of this paper for data from different threat reports.
[24] Incapsula.com, Global DDoS Threat Landscape Q1 2017 (Spring 2017), available at https://www.incapsula.com/ddos-report/ddos-report-q1-2017.html (accessed June 20, 2017).
[25] Hadi Asghari, Michael Ciere, and Michel J.G. van Eeten, Post-Mortem of a Zombie: Conficker Cleanup After Six Years, in USENIX, The Advanced Computing Systems Association, Proceedings of the 24th USENIX Security Symposium, Washington, D.C. (Aug. 2015), available at https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-asghari.pdf (accessed June 20, 2017).

Current Tools and Techniques

Application of Cybersecurity Framework against Botnets

The Cybersecurity Framework, developed by the National Institute of Standards & Technology (NIST),[27] is a voluntary risk-based "set of industry standards and best practices to help organizations manage cybersecurity risks." The Framework is composed of five functional areas – 1) Identify, 2) Detect, 3) Protect, 4) Respond, and 5) Recover. The leading ISPs use the Framework as part of their overall cyber risk management processes to address the threats posed by bots and botnets against their networks.

Identify

In the Framework, the first step is identifying both what needs to be protected and what are the cyber threats. The Federal Communications Commission's (FCC) Communications Security, Reliability and Interoperability Council (CSRIC) IV Working Group 4 final report, Cybersecurity Risk Management and Best Practices, provides implementation guidance on the use of the Framework for network service providers. ISPs, as part of the critical infrastructure, have identified that they need to protect their core networks from cybersecurity threats such as bots and botnets. ISPs may also, as part of a managed security service, protect their customers from the harms of cyber threats.

In addition to identifying what needs to be protected, network service providers use the Framework and other tools to identify the threats. The first step is identifying the attack surfaces of the assets to be protected and then identifying the known attack vectors. This information is continuously synthesized with threat intelligence data to ensure comprehensive coverage and to identify, and ultimately address, new vulnerabilities. Obtaining high-quality cyber threat data is one of the most important aspects of implementing and running a strong botnet mitigation program. For the program to be effective, near zero false positive data is needed. False positives can greatly increase a network service provider's operating costs, impact its customer satisfaction, and damage its brand. As outlined in the CSRIC V Working Group 5 report on Cybersecurity Information Sharing,[28] network service providers have developed an information sharing ecosystem to both use and share cyber threat indicator information from an array of sources, to identify botnets and their associated threats. Included in this ecosystem are trusted third-party (TTP) data feeds, information from DHS including its Automated Information Sharing (AIS) system, and inter-sector information sharing.

[26] Department of Homeland Security (DHS) Office of Cybersecurity and Communications, Vulnerability Note VU#800094 - Dahua Security DVRs contain multiple vulnerabilities (Dec. 4, 2013), available at http://www.kb.cert.org/vuls/id/800094 (accessed June 20, 2017).
[27] National Institute of Standards and Technology, Cybersecurity Framework (May 25, 2017), available at https://www.nist.gov/cyberframework (accessed June 20, 2017).

Detect

As outlined in the Framework, detection of threats and attacks is the next step in protecting networks from botnet attacks. As described earlier, botnet attacks come in many forms, so detecting them requires an array of tools and techniques tailored for each kind of attack. Regardless of the type of botnet attack, network service providers use a core set of techniques, including packet sampling, signature analysis, and heuristic or behavioral analysis.

Many botnets attempt to disguise their traffic as normal internet traffic. This makes it particularly difficult to detect highly distributed botnets or low-volume traffic botnets, as the traffic will be below the alarm thresholds on any single operator's network. For example, during the Mirai Dyn DNS water torture attack, the attackers proxied their requests through well-known open DNS resolvers.[29]

[28] FCC CSRIC V, Working Group 5: Cybersecurity Information Sharing, Final Report (Mar. 15, 2017), available at https://www.fcc.gov/files/csric5-wg5-finalreport031517pdf (accessed June 20, 2017).

Protect

Network service providers use a variety of techniques to protect their networks from attacks and undertake measures to help their customers protect themselves from attacks.

Network service providers use different filtering techniques to directly protect their network infrastructure (e.g., routers, servers). Bots often spoof the source IP address in the attack packets. This is typically seen in network reflection attacks, but as seen in high volume attacks such as the Mirai botnet or Dyn attack, this can be accomplished even without IP spoofing. Regardless, as a best common practice, most, if not all, network service providers perform network filtering for spoofed IP addresses.[30]

Network service providers also use a combination of other filtering techniques such as Access Control Lists (ACLs), traffic policing, blackholing, and sinkholing in their networks to filter known botnet traffic. These techniques can be effective for neutralizing the C&C traffic for client-server botnets. This is less effective against more advanced botnets that use peer-to-peer architecture, encryption, and/or fast flux DNS techniques for their C&C channel. Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.

Network service providers also have made large investments in DDoS scrubbing systems to "scrub" out DDoS attacks against their networks and their customers who have purchased DDoS mitigation services. DDoS scrubbing systems rely upon diverting the victim's traffic through the scrubber "on-demand" to filter out attack traffic from good traffic, and then place it back on the provider's network to send it to its original destination. Network service providers use a combination of in-house scrubbing systems and third-party scrubbing systems via contracts with third party DDoS mitigation providers. However, network service providers do not have the capacity to scrub all traffic all of the time.

[29] Scott Hamilton, Dyn Analysis Summary Of Friday October 21 Attack, Dyn Blog (Oct. 26, 2016), available at http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/ (accessed June 20, 2017).
[30] P. Ferguson and D. Senie, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, Best Current Practice (BCP) 38 (May 2000), available at https://tools.ietf.org/html/bcp38 (accessed June 20, 2017); F. Baker and P. Savola, Ingress Filtering for Multihomed Networks, BCP 84 (Mar. 2004), available at https://tools.ietf.org/html/bcp84 (accessed June 20, 2017); and Mutually Agreed Norms for Routing Security (MANRS), Participants (Mar. 6, 2015), available at https://www.routingmanifesto.org/participants/ (accessed June 20, 2017).

In addition to scrubbing traffic, many providers use the Flowspec[31] capabilities of BGP to dynamically block easily identifiable traffic on the router. The traffic is usually blocked using the basic five-tuple of values found in IPFIX[32] (source and destination IP, source and destination port, and protocol). Flowspec is advantageous in that BGP updates can be made and withdrawn fairly quickly in the network, allowing for faster mitigation.
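The two router-side filters described in this section, ingress filtering of spoofed source addresses (BCP 38) and Flowspec-style discards keyed on the IPFIX five-tuple, simulated over constructed flow records. This is an added example written for this page, not code from the CSCC paper or any vendor; the customer prefixes, interface names, addresses (RFC 5737 documentation ranges) and the mitigation rule are all constructed sample values.

```python
"""Added example: BCP 38 source address validation and Flowspec-style
five-tuple filtering applied to constructed flow records.

All prefixes, addresses, interface names and flows are constructed for
the example; none are data from the paper.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str        # "udp" or "tcp"
    sport: int
    dport: int
    ingress_if: str   # interface the packet arrived on


# Constructed mapping of customer-facing interfaces to assigned prefixes.
CUSTOMER_PREFIXES = {
    "cust-a": [ip_network("198.51.100.0/24")],
    "cust-b": [ip_network("203.0.113.0/25")],
}


def passes_sav(flow: Flow) -> bool:
    """BCP 38 ingress check: the source must belong to the interface's customer."""
    allowed = CUSTOMER_PREFIXES.get(flow.ingress_if)
    if allowed is None:
        return True  # not a customer edge (e.g. a peering port); SAV not applied here
    src = ip_address(flow.src)
    return any(src in net for net in allowed)


@dataclass(frozen=True)
class FlowspecRule:
    """Subset of a BGP Flowspec match: the IPFIX five-tuple, every field optional."""
    dst: Optional[str] = None
    src: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    sport: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        if self.dst and ip_address(flow.dst) not in ip_network(self.dst):
            return False
        if self.src and ip_address(flow.src) not in ip_network(self.src):
            return False
        if self.proto and flow.proto != self.proto:
            return False
        if self.dport is not None and flow.dport != self.dport:
            return False
        if self.sport is not None and flow.sport != self.sport:
            return False
        return True


def filter_flows(flows: Iterable[Flow], rules: Iterable[FlowspecRule]) -> dict:
    """Count flows dropped by SAV, dropped by a Flowspec rule, and forwarded."""
    rules = list(rules)
    result = {"spoofed": 0, "flowspec": 0, "forwarded": 0}
    for f in flows:
        if not passes_sav(f):          # SAV runs first, at the customer edge
            result["spoofed"] += 1
        elif any(r.matches(f) for r in rules):
            result["flowspec"] += 1
        else:
            result["forwarded"] += 1
    return result


# Constructed sample: two legitimate flows, one spoofed source arriving on a
# customer port, and one NTP-reflection style flow arriving from a peer.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "192.0.2.10", "tcp", 51000, 443, "cust-a"),
    Flow("203.0.113.5", "192.0.2.10", "udp", 40000, 53, "cust-b"),
    Flow("192.0.2.99", "192.0.2.10", "udp", 123, 123, "cust-a"),          # spoofed
    Flow("203.0.113.200", "192.0.2.10", "udp", 123, 40001, "peer-1"),    # reflected NTP
]

# Constructed mitigation announced via Flowspec: discard UDP from source port
# 123 toward the victim prefix.
SAMPLE_RULES = [FlowspecRule(dst="192.0.2.0/24", proto="udp", sport=123)]


def demo() -> dict:
    return filter_flows(SAMPLE_FLOWS, SAMPLE_RULES)


if __name__ == "__main__":
    print(demo())  # {'spoofed': 1, 'flowspec': 1, 'forwarded': 2}
```

The order of the checks mirrors where each filter lives: SAV is applied on the customer edge before any other policy, while a Flowspec rule is installed network-wide and can be withdrawn as soon as the attack subsides.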

Network service providers also can provide specific tools and services to their customers to protect themselves, including end-point anti-virus software and home gateways with integrated security.[33] Large ISP customers operating stub networks or edge providers also can use a technique to mitigate DDoS attacks known as Anycast, which allows multiple hosts or end-points to have the same IP address. By geographically distributing these hosts, the magnitude of the DDoS attack needs to be significantly larger to account for the distributed hosts and succeed at disrupting the site or service. Anycast services can be deployed by edge providers or purchased from DDoS mitigation partners.

Several network service providers also offer a suite of managed security services including but not limited to the DDoS scrubbing services mentioned above. These can include capabilities such as network based firewalls, mobile device management services, threat analysis and event detection, secure VPN connectivity to the cloud, and web and email security.

Respond & Recover

Today, as outlined in the Cybersecurity Framework, when a network service provider detects malicious traffic from a bot either on its network or toward an end-point on its network, it responds and recovers as necessary. The response consists of mitigating the impact from the malicious traffic, and, if necessary, remediating the infected end-point.

To mitigate the malicious traffic, the network service provider must first determine the scope of the impact from the malicious traffic. For malicious traffic that is impacting its network or its ability to deliver service, the network service provider will need to work to filter out the malicious traffic using one of the filtering techniques (e.g., ACL, blackhole, sinkhole, or scrub) described earlier. In addition, if the malicious traffic is inbound toward its network, the network service provider may contact the upstream network and ask it to filter the traffic emanating from that network.

[31] Leonardo Serodio, Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec (May 2013), available at https://nanog.org/sites/default/files/wed.general.trafficdiversion.serodio.10.pdf (accessed July 7, 2017).
[32] B. Claise, B. Trammell, and P. Aitken, Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information, IETF Tools (Sept. 2013), available at https://tools.ietf.org/html/rfc7011 (accessed July 7, 2017).
[33] McAfee, McAfee Web Gateway, available at https://www.mcafee.com/us/products/web-gateway.aspx (accessed July 7, 2017).

For malicious traffic that is determined to be emanating from a customer end-point on its network, the network service provider, as recommended in the voluntary Anti-Bot Code of Conduct for Internet Service Providers (ABC for ISPs),[34] will:

• Detect – identify and detect botnet activity in the ISP's network or on behalf of enterprise customers who have purchased services from the ISP to determine potential bot infections on end-user devices;
• Notify – notify end-users, including potentially both consumers and enterprise business clients, of suspected bot infections;
• Remediate – provide information to end-users about how they can remediate bot infections and/or actively assist enterprise business clients in remediating the impacts of botnets; and
• Collaborate – provide feedback and experiences learned to other ISPs.

Emerging Solutions

The internet ecosystem is continuing to improve its ability to mitigate the attacks from botnets. Efforts are underway to improve both detection and mitigation capabilities.

Technological Approaches. A large number of malware families use a technique known as a domain generation algorithm (DGA) to periodically generate a large number of domain names that can be used as rendezvous points for their C&C servers in an attempt to obfuscate the botnet's true infrastructure. Currently, security investigators can work to reverse engineer the DGA used by each variant of malware. The reverse engineering can be a time-consuming process, and is often an ineffective whack-a-mole approach. To address this issue, industry has been investigating how to apply machine learning to automate the process and work in real-time as the malware registers domain names with an internet registry. Efforts are underway to commercialize and integrate machine learning for botnet detection into network protection products.

[34] Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG), ABCs for ISPs, available at https://www.m3aawg.org/abcs-for-ISP-code (accessed June 20, 2017).
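An illustration of the lexical features an automated DGA detector works from, applied to constructed domain names. This is an added example, not code from the paper or from any product it mentions; a fixed, hand-weighted score stands in for the trained model a real deployment would use, and the thresholds and sample names are assumptions made for the example.

```python
"""Added example: lexical features for DGA-domain detection.

Generated names tend to be long, high-entropy, vowel-poor and digit-heavy
compared with names people choose. A trained classifier would consume
these features; here a hand-weighted score (an assumption) replaces it so
the block runs offline on constructed sample names.
"""
import math
from collections import Counter

VOWELS = set("aeiou")


def sld(domain: str) -> str:
    """Second-level label, e.g. 'example' from 'www.example.com'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a label."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def dga_features(domain: str) -> dict:
    label = sld(domain)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label) if label else 0.0
    # Longest run of consecutive consonants; pronounceable names keep this short.
    longest_run = run = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:
            run += 1
            longest_run = max(longest_run, run)
        else:
            run = 0
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowel_ratio,
        "digit_ratio": digit_ratio,
        "consonant_run": longest_run,
    }


def dga_score(domain: str) -> float:
    """Score in [0, 1]; higher is more DGA-like. Weights are illustrative."""
    f = dga_features(domain)
    score = 0.0
    if f["entropy"] > 3.5:
        score += 0.35
    if f["vowel_ratio"] < 0.25:
        score += 0.25
    if f["consonant_run"] >= 4:
        score += 0.2
    if f["digit_ratio"] > 0.2:
        score += 0.1
    if f["length"] >= 12:
        score += 0.1
    return min(score, 1.0)


def is_dga_like(domain: str, threshold: float = 0.5) -> bool:
    return dga_score(domain) >= threshold


# Constructed sample: two ordinary names, two shaped like DGA output.
SAMPLE_DOMAINS = [
    "www.example.com",
    "mail.wikipedia.org",
    "xkqzwvtjplrbgfn.net",
    "a8f3k2z9q7b1x4c.com",
]


def classify(domains=SAMPLE_DOMAINS) -> dict:
    return {d: is_dga_like(d) for d in domains}


if __name__ == "__main__":
    for d, flagged in classify().items():
        print(f"{d:24s} score={dga_score(d):.2f} dga_like={flagged}")
```

Note that a purely lexical score misclassifies dictionary-word DGAs, which is one reason the paper points to machine learning over a broader feature set (registration timing, NXDOMAIN volume) rather than name shape alone.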

Newer botnets now often use encryption (e.g., TLS[35]) to hide their C&C channel. The Secure Sockets Layer SSL Blacklist (SSLBL) project[36] illustrates that even though the botnet is using encryption, it is still possible to detect the botnet. It is possible to identify the bot's C&C traffic by inspecting the malicious SSL certificates to generate a unique SHA-1[37] fingerprint for each botnet using deep packet inspection (DPI). Efforts are underway to commercialize this approach and integrate the methods into network protection systems to allow for real-time fingerprinting and mitigation of botnets.
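How a DPI sensor can apply certificate-fingerprint indicators of the kind SSLBL publishes: extract the certificate chain from a TLS 1.2 Certificate handshake message, hash each DER certificate with SHA-1, and compare against a blocklist. This is an added example, not code from the paper or the SSL Blacklist project; the handshake bytes, the stand-in DER blobs and the blocklist entries are constructed for the example.

```python
"""Added example: parse a TLS 1.2 Certificate handshake message and match
SHA-1 certificate fingerprints against a blocklist.

The message layout follows RFC 5246 section 7.4.2: handshake type 11, a
24-bit body length, a 24-bit certificate_list length, then each
certificate as a 24-bit length plus DER bytes. The 'certificates' here
are constructed byte strings, not real certificates.
"""
import hashlib
from typing import List

HANDSHAKE_CERTIFICATE = 0x0B


def _u24(n: int) -> bytes:
    return n.to_bytes(3, "big")


def build_certificate_message(certs: List[bytes]) -> bytes:
    """Encode a Certificate handshake message carrying the given DER chain."""
    cert_list = b"".join(_u24(len(c)) + c for c in certs)
    body = _u24(len(cert_list)) + cert_list
    return bytes([HANDSHAKE_CERTIFICATE]) + _u24(len(body)) + body


def parse_certificate_message(msg: bytes) -> List[bytes]:
    """Return the DER certificates carried by a Certificate handshake message."""
    if len(msg) < 7 or msg[0] != HANDSHAKE_CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    list_len = int.from_bytes(body[0:3], "big")
    data = body[3:3 + list_len]
    if len(data) != list_len:
        raise ValueError("truncated certificate list")
    certs, pos = [], 0
    while pos < len(data):
        n = int.from_bytes(data[pos:pos + 3], "big")
        pos += 3
        if pos + n > len(data):
            raise ValueError("certificate length exceeds list")
        certs.append(data[pos:pos + n])
        pos += n
    return certs


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER bytes as lowercase hex (the usual blocklist form)."""
    return hashlib.sha1(der).hexdigest()


def match_blocklist(msg: bytes, blocklist: set) -> List[str]:
    """Fingerprints in the message's chain that appear on the blocklist."""
    return [fp for fp in map(sha1_fingerprint, parse_certificate_message(msg))
            if fp in blocklist]


# Constructed stand-ins for DER certificates (leaf first, as TLS requires).
LEAF_DER = b"\x30\x82\x01\x00constructed-leaf-cert"
ISSUER_DER = b"\x30\x82\x02\x00constructed-issuer-cert"

# Constructed blocklist: the leaf is listed, the issuer is not.
BLOCKLIST = {sha1_fingerprint(LEAF_DER)}


def demo() -> List[str]:
    msg = build_certificate_message([LEAF_DER, ISSUER_DER])
    return match_blocklist(msg, BLOCKLIST)


if __name__ == "__main__":
    print(demo())
```

Because the match is on the certificate bytes rather than on any plaintext, the sensor needs only the unencrypted handshake; it never has to decrypt the C&C session itself.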

In addition, researchers are developing the use of tarpits at network scale to slow the propagation of botnets.[38] Researchers are investigating how to turn unused IP address space into botnet tarpits.[39] The basic idea is to route all inbound traffic that is addressed to the unused IP addresses to the tarpit. The tarpit has a set of programmed rules for how to respond, and thereby extends the time it takes for a botnet to work its way up the kill chain.[40] By extending the time, the targets of the attack have more time to determine what additional defensive measures need to be put in place to neutralize the attack, if any.

In addition to tarpits, network providers have undertaken efforts to determine how to leverage the features of Software Defined Networks (SDNs) to help mitigate attacks from botnets. SDNs provide the capability to dynamically create overlay networks. When combined with other network partitioning techniques and technology, it becomes possible to dynamically create virtual lanes for the different IP-based services. With this approach, IoT providers can work with network service providers to create end-to-end virtual lanes from the IoT device through the network to the cloud-based service. This process ensures a compromised IoT device cannot communicate with unauthorized endpoints. In other words, a compromised device could not be used in a DDoS attack or send information to non-authorized hosts. The Network Slicing feature in 5G networks is a good example of this,[41] and similar approaches are being investigated for SDN-enabled wireline networks.

[35] E. Rescorla and N. Modadugu, Datagram Transport Layer Security Version 1.2, IETF Tools (Jan. 2012), available at https://tools.ietf.org/html/rfc6347 (accessed June 20, 2017).
[36] SSL Blacklist, SSL Blacklist, available at https://sslbl.abuse.ch/blacklist/ (accessed June 20, 2017).
[37] SHA-1 – Secure Hash Algorithm 1 is a cryptographic hash function that generates a 20 byte hash key used by many security applications and protocols including TLS and SSL as part of encrypting data.
[38] Labrea, Tom Liston Talks about Labrea, available at http://labrea.sourceforge.net/Intro-History.html (accessed July 17, 2017).
[39] Tarpits are defensive measures against attacks where the server purposely delays incoming connections to make spamming and broad scanning less effective.
[40] Eric Hutchins, Michael Cloppert, and Rohan Amin, Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, CND Papers (Nov. 21, 2010), available at http://papers.rohanamin.com/?p=15 (accessed July 7, 2017).

Collaboration Initiatives. Several industry-led initiatives are underway to improve automated cyber threat information sharing. The Cybersecurity Information Sharing Act (CISA), enacted in 2015, and the subsequent rollout of the DHS Automated Information Sharing (AIS) capability are helping to facilitate machine-to-machine (M2M) initiatives.

There are at least two other automated M2M sharing initiatives that may be useful in combatting botnets. Both have a common goal of ensuring that the cyber threat information being shared is "actionable" by the recipient. The paradigm in the past often has been for networks to try to build better protection at their network ingress points. These initiatives share information with neighboring networks to mitigate the threat as close to the source of the malicious traffic as possible.

The Internet Engineering Task Force (IETF) is developing a protocol called DDoS Open Threat Signaling (DOTS)[42] for the real-time exchange of DDoS-related telemetry between DDoS mitigation network elements. The IETF DOTS protocol is working to improve the cooperation between DDoS attack victims and parties that can help in mitigating such attacks. The protocol will support requests for DDoS mitigation services and status updates across inter-organizational administrative boundaries (e.g., network-to-network).

The Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) DDoS special interest group[43] members are collaborating on a similar endeavor. M3AAWG is developing an application program interface (API), data store, and open source reference implementations for network service providers to share DDoS threat indicators for the purpose of identifying sources of DDoS attack traffic, but not for mitigating attacks in real time. M3AAWG's approach allows network service providers to share the source IP addresses for the inbound IP flows that their DDoS detection systems identify in an anonymous fashion with the network on which the DDoS attack originated. This allows network operators to clean up the sources of DDoS attack traffic. By sharing only the source IP address, this approach is compatible with most of the global privacy laws with respect to the sharing of identifiable information.

[41] See 5G Americas, Network Slicing for 5G Networks & Services, available at http://www.5gamericas.org/files/3214/7975/0104/5G_Americas_Network_Slicing_11.21_Final.pdf (accessed July 7, 2017).
[42] IETF, DDoS Open Threat Signaling (dots), available at https://datatracker.ietf.org/wg/dots/about/ (accessed June 20, 2017).
[43] M3AAWG, M3AAWG Issues New Papers Explaining Password Security, Multifactor Authentication, Encryption Use and DDoS Safeguards; Announces Leadership and Committee Chairs, Press Release (Apr. 4, 2017), available at https://www.m3aawg.org/news/rel-leadership-papers-2017-04 (accessed June 20, 2017).

Challenges and Opportunities

Cybersecurity is a shared responsibility. Reducing the threats from bots, botnets, and their automated attacks requires the cooperation and collaboration of all members of the internet ecosystem. This section identifies a number of areas where the threats presented by bots and botnets can be reduced with better cooperation and collaboration by members of the internet ecosystem.

Botnet Takedowns

Challenge – No technique is more effective than law enforcement actions that lead to the arrest of the perpetrators. This is the only solution that addresses the root cause of the problem, and not just a symptom. Unfortunately, executing a botnet takedown requires significant upfront forensic analysis and careful coordination among many stakeholders, often across international borders. A limiting factor in the overall velocity of botnet takedowns is the lack of law enforcement resources. The other challenge is that most botnets are international in nature, requiring resource-intensive and time-consuming cooperation between nations.

Opportunity – Additional law enforcement resources and streamlining international processes would aid the overall botnet takedown process.

Actionable Cyber Threat Information

Challenge – Network service providers must have both accurate and actionable cyber threat information to be able to quickly neutralize botnets. For information to be actionable, the cyber threat indicator has to be correlated to a single end-point. Many of the data feeds used and shared by enterprises are long-term IP reputation lists of little value to network service providers that operate networks with a large set of subscribers that have dynamically assigned IP addresses with short leases. This means the cyber threat indicator must be timely and either include the current IP address or the IP address and a time-stamp of the malicious activity.

The same is true for IP addresses of the botnet C&C servers. C&C servers often do not have a static IP address. Often the C&C servers are on shared hosts where a single IP address is shared by multiple hosts. In addition, the C&C servers may have a pool of IP addresses or shared hosts that they rotate through.

Network service providers need a single, highly reliable, near-term indication that an IP address has generated malicious traffic or has been scanned to show exposed vulnerable services, as well as the compromised hosts.
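Why the indicator needs a timestamp on an access network with short leases: the same address is held by several subscribers over a single day, so a bare IP from a reputation list resolves to all of them, while an IP plus the time of the malicious activity resolves to exactly one. This is an added example, not code from the paper or from any ISP; the lease records, subscriber identifiers, addresses and the 24-hour freshness window are constructed assumptions.

```python
"""Added example: correlating an (ip, timestamp) indicator to one subscriber
through a DHCP lease log. Lease records, subscriber ids and the freshness
window are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Lease:
    ip: str
    subscriber_id: str
    start: datetime
    end: datetime


def parse_lease_log(lines: List[str]) -> List[Lease]:
    """Parse constructed 'ip subscriber start end' records (ISO 8601 times)."""
    leases = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ip, sub, start, end = line.split()
        leases.append(Lease(ip, sub, datetime.fromisoformat(start),
                            datetime.fromisoformat(end)))
    return leases


def subscriber_at(leases: List[Lease], ip: str, when: datetime) -> Optional[str]:
    """The single subscriber holding `ip` at `when`, or None if not exactly one."""
    hits = [ls.subscriber_id for ls in leases if ls.ip == ip and ls.start <= when < ls.end]
    return hits[0] if len(hits) == 1 else None


def subscribers_ever(leases: List[Lease], ip: str) -> List[str]:
    """Everyone who held `ip` in the log: what a timestamp-less entry resolves to."""
    return sorted({ls.subscriber_id for ls in leases if ls.ip == ip})


def indicator_is_actionable(leases: List[Lease], ip: str, when: Optional[datetime],
                            max_age: timedelta = timedelta(hours=24),
                            now: Optional[datetime] = None) -> bool:
    """Actionable = timestamped, recent enough, and resolvable to one subscriber."""
    if when is None:
        return False
    now = now or datetime.now()
    if now - when > max_age:
        return False
    return subscriber_at(leases, ip, when) is not None


# Constructed lease log: 203.0.113.40 cycles through three subscribers in
# one day (short leases, as described above).
LEASE_LOG = """
# ip           subscriber  start                end
203.0.113.40   sub-1001    2017-06-20T00:00:00  2017-06-20T08:00:00
203.0.113.40   sub-2042    2017-06-20T08:00:00  2017-06-20T16:00:00
203.0.113.40   sub-3377    2017-06-20T16:00:00  2017-06-21T00:00:00
203.0.113.41   sub-1001    2017-06-20T08:00:00  2017-06-21T00:00:00
""".strip().splitlines()

LEASES = parse_lease_log(LEASE_LOG)
NOW = datetime(2017, 6, 20, 20, 0, 0)  # constructed "current time"


def lookup(ip: str, iso_time: str) -> Optional[str]:
    return subscriber_at(LEASES, ip, datetime.fromisoformat(iso_time))


def demo() -> dict:
    ip = "203.0.113.40"
    seen = datetime(2017, 6, 20, 12, 30, 0)
    return {
        "with_timestamp": subscriber_at(LEASES, ip, seen),
        "without_timestamp": subscribers_ever(LEASES, ip),
        "actionable": indicator_is_actionable(LEASES, ip, seen, now=NOW),
        "stale_list_entry": indicator_is_actionable(LEASES, ip, None, now=NOW),
    }


if __name__ == "__main__":
    print(demo())
```

The same lookup fails for the C&C-server case the paper goes on to describe: when one address fronts several hosts, or rotates through a pool, no lease-style record yields a single end-point, which is why the paper asks for indicators that are both timely and correlated to one host.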

Opportunities – Experts agree that cyber threat information needs to be timely and targeted to be effective. The cyber information sharing initiatives of the IETF's DOTS Working Group and the M3AAWG DDoS SIG are steps in the right direction. DHS's AIS[44] also provides an opportunity to improve and enhance the timely and tailored sharing of cyber threat indicators to meet recipients' needs.

Network Address Translation

Challenge – Wireline ISPs operating IPv4 networks typically provide a residential subscriber with a single public IPv4 address. The residential subscriber often uses a home router that includes a network address translation (NAT) function, which allows them to share their one public IPv4 address with multiple devices in the home.

When an ISP receives information about a residential subscriber sending malicious traffic, that information, at best, can only contain the IPv4 address assigned to the customer and not that of the actual end-point behind the home router. The use of NAT technology makes it difficult for the ISP to identify the specific device in the subscriber's home that is sending malicious traffic.

Opportunity – IPv6 eliminates the need to use NAT for IP address sharing, as every device connected to the internet can have a publicly routable IPv6 address. While not a panacea, the elimination of NAT routers may make it easier to identify end-devices transmitting malicious traffic under certain circumstances, and to filter the suspect traffic appropriately. As of June 2017, IPv6 adoption by network providers was approximately 19% globally,[45] and 35% and growing within the U.S.

[44] DHS, Automated Indicator Sharing (AIS), available at https://www.dhs.gov/ais (accessed June 20, 2017).

Off-Net Traffic

Challenges – As widely distributed global networks, most bots and their C&C servers are outside the network service provider's network and administrative control. In fact, numerous reports make clear that the overwhelming majority of botnet traffic originates outside the U.S.[46] Furthermore, in most cases, only a small portion of a network service provider's end-points may be infected by any single botnet, and the amount of traffic generated by the botnet on the network will be minuscule. This small amount of traffic can be very difficult to detect as it will not trigger many of the network monitoring thresholds that a network service provider has in place.

Opportunity – To address both of these challenges requires collaboration among network service providers, as one of the most effective measures is to filter the traffic as close as possible to the device infected with the bot. Any transit or peering agreements should include language that addresses availability and scrubbing of traffic to allow for network operators to ask the upstream provider(s) to filter malicious traffic.

End-User Notifications

Challenge – Notifying and getting end-users to take action continues to be a challenge. There are multiple ways that members of the internet ecosystem can notify an end-user:[47]

• Email;
• Telephone call;
• Postal mail;
• Text message;
• Web browser notification;
• Walled garden; and
• Other methods.[48]

[45] Google, IPv6 Adoption (June 18, 2017), available at https://www.google.com/intl/en/ipv6/statistics.html#tab=per-country-ipv6-adoption&tab=per-country-ipv6-adoption (accessed June 20, 2017).
[46] Incapsula.com, Global DDoS Threat Landscape Q4 2016 (Winter 2017), available at https://www.incapsula.com/ddos-report/ddos-report-q4-2016.html (accessed June 20, 2017).
[47] Michael Glenn, Malware Notification and Remediation Tools and Techniques, CenturyLink presentation to NIST Workshop: Technical Aspects of Botnet (May 30, 2012), available at https://www.nist.gov/sites/default/files/documents/itl/csd/centurylink_malware_notification_and_remediation.pdf (accessed June 20, 2017).

A study commissioned by M3AAWG to determine the effectiveness of various notification and remediation methods showed that the two most effective methods are a telephone call to the device user and postal mail.[49] The growing use of IoT devices in homes presents new challenges in notifying end-users. IoT devices often have limited user interfaces, thus negating a number of the notification methods (web browser, walled garden, etc.). This is further compounded by the fact that an ISP can only notify an end-user that "a device" in their home is infected, and cannot identify the specific corrupted device.

Opportunities – Various measures exist to improve device identification going forward. Better designed IoT devices that adhere to industry standards such as those being developed by the Open Connectivity Foundation (OCF)[50] are one avenue to improve security. And, as noted earlier, network operator support for IPv6 will aid in both the identification of the infected device, as well as notifying the user of the device.

Fast Flux DNS

Challenge – The use of fast flux[51] by malware and botnets to hide their infrastructure continues to grow. Fast flux is a DNS technique where numerous IP addresses associated with a single domain name are swapped in and out with extremely high frequency. Fast flux effectively hides the computers or servers that are performing the malicious attacks from being detected. Fast flux makes cutting off contact of the bots to the C&C servers difficult or impossible by IP address filtering alone.

Opportunity – In 2008, the ICANN Security and Stability Advisory Committee (SSAC) published a security advisory that made a number of mitigation recommendations to address fast flux DNS techniques. Among its findings and recommendations, the SSAC encouraged ICANN, registries, and registrars to consider the fast flux mitigation practices in the advisory.

Since that time, advancements in machine learning have been applied to detecting botnets using fast flux DNS techniques. Advancements in the application of machine learning to detect botnets that are making changes to DNS entries enable automation and integration into botnet detection systems.

[48] Other methods may include social media message, alert to the TV via the set-top-box, direct deposit voicemail message, etc.
[49] Georgia Tech Researchers, DNSChanger Remediation Study, Presentation to M3AAWG 27th General Meeting, San Francisco, CA (Feb. 19, 2013), available at https://www.m3aawg.org/sites/default/files/document/GeorgiaTech_DNSChanger_Study-2013-02-19.pdf (accessed June 20, 2017).
[50] See Open Connectivity Foundation, available at https://openconnectivity.org/ (accessed June 20, 2017).
[51] ICANN Security and Stability Advisory Committee (SSAC), SAC025 SSAC Advisory on Fast Flux Hosting and DNS (Mar. 2008), available at https://www.icann.org/en/system/files/files/sac-025-en.pdf (accessed June 20, 2017).
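The signal that automated fast-flux detection keys on, computed from constructed passive-DNS observations: a fast-flux name cycles many addresses across unrelated networks with very short TTLs, while a normally hosted name keeps a small, stable set. This is an added example, not code from the paper or from any detection product; the observation format, the thresholds and the sample records are assumptions made for the example, and the hand-set weights stand in for the machine-learning model the text refers to.

```python
"""Added example: fast-flux heuristic over constructed passive-DNS records.

Per domain it measures distinct A records, distinct /24 networks, the
lowest TTL seen and the rate of new addresses. Thresholds and weights are
illustrative assumptions, not values from the paper.
"""
from collections import defaultdict
from ipaddress import ip_network
from typing import Dict, List, Tuple


def parse_observations(lines: List[str]) -> List[Tuple[int, str, str, int]]:
    """Constructed format: 'unix_ts domain ip ttl', one observation per line."""
    obs = []
    for line in lines:
        if not line.strip():
            continue
        ts, domain, ip, ttl = line.split()
        obs.append((int(ts), domain.lower().rstrip("."), ip, int(ttl)))
    return obs


def flux_features(obs) -> Dict[str, dict]:
    by_domain = defaultdict(list)
    for ts, domain, ip, ttl in obs:
        by_domain[domain].append((ts, ip, ttl))
    feats = {}
    for domain, rows in by_domain.items():
        ips = {ip for _, ip, _ in rows}
        nets = {ip_network(f"{ip}/24", strict=False) for ip in ips}
        span = max(ts for ts, _, _ in rows) - min(ts for ts, _, _ in rows)
        feats[domain] = {
            "distinct_ips": len(ips),
            "distinct_24s": len(nets),
            "min_ttl": min(ttl for _, _, ttl in rows),
            # normalise to at least one hour so short windows are not inflated
            "ips_per_hour": len(ips) / max(span / 3600.0, 1.0),
        }
    return feats


def flux_score(f: dict) -> float:
    """Score in [0, 1]; hand-set weights (an assumption) standing in for a model."""
    s = 0.0
    if f["min_ttl"] <= 300:
        s += 0.3
    if f["distinct_ips"] >= 5:
        s += 0.3
    if f["distinct_24s"] >= 4:
        s += 0.3
    if f["ips_per_hour"] >= 2:
        s += 0.1
    return s


def classify(lines: List[str], threshold: float = 0.6) -> Dict[str, bool]:
    feats = flux_features(parse_observations(lines))
    return {d: flux_score(f) >= threshold for d, f in feats.items()}


# Constructed observations: one name hopping across unrelated networks
# every five minutes with 60-second TTLs, one CDN-style name with two
# stable addresses and hour-long TTLs.
SAMPLE = """
1497960000 flux-example.test 198.51.100.14 60
1497960300 flux-example.test 203.0.113.77 60
1497960600 flux-example.test 192.0.2.201 60
1497960900 flux-example.test 198.18.5.9 60
1497961200 flux-example.test 198.51.100.240 60
1497961500 flux-example.test 203.0.113.12 60
1497960000 cdn-example.test 192.0.2.10 3600
1497961500 cdn-example.test 192.0.2.11 3600
""".strip().splitlines()


def demo() -> Dict[str, bool]:
    return classify(SAMPLE)


if __name__ == "__main__":
    print(demo())  # {'flux-example.test': True, 'cdn-example.test': False}
```

Low TTL and many addresses on their own also describe legitimate content-delivery names, which is why the /24 diversity term matters: a CDN's addresses cluster in its own networks, whereas fast-flux proxies are compromised hosts scattered across consumer networks.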

Insecure IoT Devices

Challenge – As discussed throughout this paper, the growing installed base of IoT devices is making such devices attractive targets for cybercriminals to infect with bot code. A good example is the recent Mirai botnet attack, in which unsecured, internet-connected IoT security cameras were infected to generate a massive DDoS attack. This is not a new phenomenon; the problem has been around for years, as many consumer-grade home routers shipped with known vulnerabilities that have been exploited to generate large-scale DNS amplification attacks.

The types of known vulnerabilities[52] found in many IoT devices on the market today include:

• Shipping IoT devices with out-of-date software containing known vulnerabilities and lacking the capability for an automated software update;
• Protection only by factory default or hardcoded usernames and passwords;
• Unauthenticated communications;
• Unencrypted communications; and
• Lack of mutual authentication and authorization.

Insecure IoT devices present a unique challenge as once they are compromised it is often impossible for the end-user to detect that they have been compromised and, as noted earlier, it is difficult for a network service provider to notify the end-user that their device has been compromised. Even after the end-user is aware of the compromise, it is often impossible to remediate the problem due to either the lack of a software update and/or lack of automated software updates.

[52] Broadband Internet Technical Advisory Group (BITAG), Internet of Things Security and Privacy Recommendations (Nov. 2016), available at http://bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf (accessed June 20, 2017).

Opportunity – IoT devices can be better secured through the use of network/path isolation.[53] Network/path isolation techniques (VPNs, VLANs, policy based routing, network slicing, etc.) can be used to create independent logical traffic paths. These independent logical traffic paths ensure the IoT traffic can only reach the designated endpoints. This helps to mitigate the impacts of any malicious traffic that a compromised IoT device may send.

With the advances in network function virtualization (NFV) and SDNs, opportunities exist for IoT manufacturers to design devices to use network/path isolation techniques as part of their service. Additionally, opportunities exist for network service providers to offer network/path isolation as a service to IoT providers or end-users for their IoT devices.

Amplification Attacks

Challenge – An amplification attack is a type of DDoS attack that takes advantage of the fact that a small query such as a DNS query can generate a much larger response. When combined with source address spoofing, an attacker can direct a large volume of network traffic to a target system. The asymmetric nature of amplification attacks makes it the preferred choice for DDoS attacks. Amplification attacks often leverage UDP based protocols such as the DNS protocol, network time protocol (NTP), character generator (CharGEN), and quote of the day (QOTD). Approximately 15 internet protocols are susceptible to amplification attacks.[54] Internet engineers developed an extension to the DNS protocol, called DNS Security (DNSSEC), to address DNS vulnerability to DNS cache poisoning. Unfortunately, a side effect of this fix is that the security extension to DNS makes the DNS responses much larger and helps to further amplify the attack.

The implementation of source address validation (SAV)[55] as recommended in IETF BCP 38/84 prevents amplification attacks with spoofed source addresses. Although most large U.S. network service providers[56] have implemented source address validation, approximately 30% of the overall IP address space is still spoofable.[57]

[53] Cisco, Network Virtualization -- Path Isolation Design Guide (July 22, 2008), available at http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html (accessed June 20, 2017).
[54] United States Computer Emergency Readiness Team (US-CERT), UDP-Based Amplification Attacks, Alert (TA14-017A) (Nov. 4, 2016), available at https://www.us-cert.gov/ncas/alerts/TA14-017A (accessed June 20, 2017).
[55] SAV has been a best practice by ISPs for a long time (see IETF 2267 published in 1998), but due to the difficulty of implementing SAV in some commercial situations it may not be fully implemented across ISPs' networks.

Opportunity – The use of IP filtering or source address validation (SAV) as outlined in the IETF's best common practices (BCP) 38 and 84 for spoofed IP addresses is a proven technique to mitigate DDoS amplification attacks using spoofed source addresses.

The Mutually Agreed Norms for Routing Security (MANRS)[58] is an industry-led effort to codify a set of shared values for network operators into a set of definitions and ideal behaviors. MANRS recommends the implementation of anti-spoofing filtering to prevent packets with incorrect source IP addresses from entering or leaving the network. To date, over 45 network operators are participating in MANRS. The opportunity exists to get the spoofable address space to near zero with every network operator participating in MANRS.

Network-to-Network Coordinated Network Management

Challenge – Although network management may sound simple and desirable, it is not without challenges, especially given the negative impact on internet end-users. Ideally botnet mitigations would be fast and directed at the source of the attack. Advancements in how networks are architected using SDNs and the use of automated M2M sharing of cyber threat indicators start to make it technically viable for network operators to automate the coordination of their botnet mitigations and reduce the response time to when either a malicious bot is detected on a network or a botnet is initiating an attack. But there are challenges, ranging from technical to contractual, and policy issues.

The technical challenges include both detection and mitigation. Without a source of ground truth for what is and isn't botnet traffic, given botnet traffic is often designed to look like normal internet traffic, there is the potential for false positives. Even with a source of ground truth, botnet mitigation methods will vary from network to network due to inherent differences in how the networks are designed and built, as well as the differences in service level agreements between network service providers and their customers.

[56] MANRS, Participants (Mar. 6, 2015), available at https://www.routingmanifesto.org/participants/ (accessed June 20, 2017).
[57] Center for Applied Internet Data Analysis, State of IP Spoofing, available at https://spoofer.caida.org/summary.php (accessed June 20, 2017).
[58] MANRS, Mutually Agreed Norms for Routing Security (MANRS) Document (Sept. 8, 2016), available at http://www.routingmanifesto.org/manrs/ (accessed June 20, 2017).

Blindly mitigating botnets through the use of automation is fraught with risks. There are many cases where a command and control server is not owned or completely under the control of the bot operator, such as: 1) shared server DNS, 2) shared IPs, and 3) public websites.[59] Blindly applying a botnet mitigation method such as filtering the IP address would prevent all the services that share the resource (e.g., DNS, shared server, or service) from being accessible. The challenge is not limited to shared resources. Without full knowledge of the service level agreement in place between the network service provider and customer, a network service provider cannot blindly filter the traffic to that end-point.

In addition, within the telecom/ISP industry there is an emerging trend toward the adoption of SDN, which is still in its infancy, but generally describes the automation of management and orchestration of network assets and services. Typically, this includes the coupling of big data frameworks that leverage advanced analytics and machine learning to serve as feedback loops for these SDN-driven networks to predict, recommend, and prescribe in an effort to improve responsiveness and resilience of their assets and services. Such implementations vary widely in terms of capability and maturity across providers, and in most cases reflect highly protected intellectual property that provides a uniquely competitive experience and offerings. Nevertheless, such an ecosystem could be used as an attack mitigation strategy.

Deployment of SDN and these tools is well beyond the conceptual stages; it is the complexity and cost of global implementation across highly heterogeneous networks that stand as obstacles to providers' speed in implementing them.

Opportunity – Better collaboration and coordination can reduce the time that it takes to respond to cyber threats. As mentioned earlier, industry is developing solutions such as the IETF DOTS, M3AAWG DDoS SIG's information sharing pilot, and an information sharing pilot being led by CTIA that will reduce the response time by sharing "actionable" cyber threat information. In addition, as threat information sharing platforms mature in their capabilities, this will aid in reducing network operators' response time.

The key for any successful coordinated network management against botnets is close, trusted collaboration and communications between stakeholders.

[59] Public websites include sites like Twitter, Amazon AWS, Google Cloud, and Rapidshare.

Industry Recommendations

This paper sets forth some of the problems presented by bots and botnets and the challenges and opportunities facing the owners and operators of broadband networks. The following section focuses on the preliminary recommendations that may be actionable by not only network service providers but the entire internet ecosystem to help reduce the threats from botnets using existing technology. The preliminary recommendations here are from the CSCC's perspective. There is a need to discuss best practices and capabilities for all segments of the ecosystem including software developers along with cloud, hosting, and application infrastructure providers.

Attack Mitigation

• Encourage continued migration to all IPv6.

The broad use of IPv6 will allow devices to have a unique address and can make it easier to track down the source of malicious traffic under certain circumstances.

• Ensure that shared cyber threat information is actionable and tailored to meet the needs of recipients.

Cyber threat information that is shared between internet stakeholders needs to be actionable by the recipients. Information sharing pool participants should tailor the information they share with their peers to be actionable.

• Include pre-negotiated provisions for traffic filtering in transit and peering agreements.

Network service operators of all sizes (ISPs, enterprises, governments, educational institutions, etc.) and end-users should ensure they have provisions in place with their internet transit providers and peering networks to provide for upstream filtering and scrubbing of malicious traffic.

• Streamlinethelawenforcementbotnettakedownprocess.

Lawenforcementcanplayakeyroleinneutralizingbotnets.Effortsarenecessaryto

streamlinethelawenforcementprocesstoincreasethespeedandefficacyoflaw

enforcementbotnettakedowns.

• EncourageICANN,registries,andregistrarstoadoptthefastfluxmitigation

techniquesinSAC025SSACAdvisoryonFastFluxHostingandDNS.

TheinternetecosystemshouldencourageICANN,registries,andregistrarstoconsider

andadoptthefastfluxmitigationtechniquesintheSSACadvisory.

• Adaptandapplymachinelearningtothedetectionofbotnets.

Theinternetecosystemshouldmoveawayfrommanuallyreverseengineeringbotnet

domaingenerationalgorithmsandbeginapplyingmachinelearningtoautomatethereal-timedetectionofbotnetsusingfastflux,encryption,andothertechniquestomask

theirinfrastructure.
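The recommendation above calls for replacing manual reverse engineering of domain generation algorithms with automated detection. The Python script below is an added illustration written for this edit, not code from the CSCC or any of the contributing companies. It extracts the lexical features a DGA classifier is typically trained on (label length, character entropy, vowel and digit ratios, consonant runs) and applies hand-picked thresholds in place of a trained model. The query names are constructed sample values, and the `registrable_label` helper assumes a single-label TLD rather than consulting the Public Suffix List.

```python
"""Lexical first-pass scoring of DNS query names for DGA-like domains.

Added example for this edit; constructed sample names, not data from the paper.
"""
import math
from collections import Counter

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Shannon entropy of the characters in text, in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def registrable_label(fqdn):
    """Label immediately left of the TLD ("google" for "www.google.com").
    Assumption: single-label TLDs only; a deployment would consult the
    Public Suffix List so names under .co.uk and similar are split correctly."""
    labels = fqdn.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def longest_consonant_run(label):
    """Length of the longest run of consecutive consonant letters."""
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def lexical_features(fqdn):
    """Features of the kind a DGA classifier is trained on."""
    label = registrable_label(fqdn)
    n = max(len(label), 1)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
        "max_consonant_run": longest_consonant_run(label),
    }


def dga_score(fqdn):
    """Number of hand-picked thresholds the name trips (0 to 5).
    The thresholds stand in for a trained model in this illustration."""
    f = lexical_features(fqdn)
    checks = (
        f["length"] >= 12,            # algorithmic names tend to be long
        f["entropy"] >= 3.5,          # near-uniform character use
        f["vowel_ratio"] < 0.25,      # unpronounceable
        f["digit_ratio"] > 0.2,       # digits mixed into the label
        f["max_consonant_run"] >= 5,  # long consonant clusters
    )
    return sum(checks)


def flag_dga_candidates(query_names, threshold=3):
    """Names that trip at least `threshold` checks, in input order."""
    return [name for name in query_names if dga_score(name) >= threshold]


# Constructed sample query names: three ordinary sites and three made-up
# random-looking labels of the shape a DGA emits. Not observed traffic.
SAMPLE_QUERIES = [
    "www.google.com",
    "wikipedia.org",
    "stackoverflow.com",
    "xk3j9qwpzt7vmb.com",
    "ksdjfhgpqmtrwzlb.net",
    "a1b2c3d4e5f6.com",
]

if __name__ == "__main__":
    for name in SAMPLE_QUERIES:
        print(f"{name:24s} score={dga_score(name)} {lexical_features(name)}")
    print("candidates:", flag_dga_candidates(SAMPLE_QUERIES))
```

A lexical pass like this is cheap enough to run inline on resolver query logs. Note that a long legitimate name such as stackoverflow.com trips two of the five checks, which is why a single feature is never enough; names above the threshold are candidates for a trained classifier or for correlation with the querying host's NXDOMAIN rate, since most names a DGA generates never resolve.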

Endpoint Prevention

• Ensure all end-points including IoT devices adhere to industry developed security standards.

Multiple industry-led efforts are underway to develop security standards for IoT devices. IoT device manufacturers and IoT service providers should work to ensure all IoT devices adhere to their respective industry security standards and best practices for IoT security.

• Ensure end-points are running up-to-date software.

As the saying goes, "an ounce of prevention is worth a pound of cure." This applies to consumer/customer end-points as well. Ensuring that all end-points (desktops, mobile, IoT, etc.) are running up-to-date software with the latest security patches and updates will help tremendously in reducing the number of infected and compromised end-points on the internet.

• IoT devices should use network isolation and/or network-based filtering techniques for any communications to cloud-based services.

Network isolation and/or network-based filtering are proven techniques for reducing the ability of a rogue internet end-point to do harm.⁶⁰ IoT device manufacturers and IoT service providers should design their products and services to make use of these techniques.

Conclusion

Cybersecurity is a shared responsibility. Securing the internet from threats from botnets requires the collaboration and cooperation of all members of the internet ecosystem, both domestically and internationally. The preliminary recommendations in this paper represent just some of the many ways that botnet threats and their capacity for harm can be reduced through broad engagement by the stakeholders.

About the Authors

Matt Tooley is the Vice President of Broadband Technology at NCTA – The Internet and Television Association. He is a member of the Communications Sector Coordinating Council's Executive Committee. Tooley has over 30 years of experience in the broadband industry in developing and deploying broadband technology for internet service providers.

This paper includes key contributions from AT&T, CenturyLink and Cox Communications.

60 BITAG, Internet of Things (IoT) Security and Privacy Recommendations (Nov. 2016) at Sec. 6 (discussing "A possible role for in-home network technology"), available at http://bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf (accessed June 20, 2017).


Appendix A - Cyber Threat Reports

Top 10 Worst Botnet Countries

Rank  Country                    Number of Bots
1     China                          1,375,637
2     India                            958,814
3     Russian Federation               569,463
4     Brazil                           429,942
5     Vietnam                          380,639
6     Iran, Islamic Republic Of        242,909
7     Argentina                        177,701
8     Thailand                         173,027
9     Mexico                           145,516
10    C?*                              141,684

Source: Spamhaus as of June 29, 2017. https://www.spamhaus.org/statistics/botnet-cc/

* Spamhaus reports the tenth country on this list as "C?."


Top 10 Botnet Traffic Attacking Countries

Rank  Country          Percentage of Attack Traffic
1     China                          50.8%
2     South Korea                    10.8%
3     United States                   7.2%
4     Egypt                           3.2%
5     Hong Kong                       3.2%
6     Vietnam                         2.6%
7     Taiwan                          2.4%
8     Thailand                        1.6%
9     United Kingdom                  1.5%
10    Turkey                          1.4%

Source: Incapsula Global DDoS Threat Landscape Q1 2017. https://www.incapsula.com/ddos-report/ddos-report-q1-2017.html


Top Countries by % of Countries' IP Addresses Participating in DDoS Attacks, Q1-Q4 2016⁶¹

Q1 2016
Country       % of Country's IP Addresses   Source IPs
Turkey        0.282%                        43,400
Brazil        0.075%                        36,472
China         0.035%                        115,478
South Korea   0.028%                        31,692
U.S.          0.005%                        72,598

Q2 2016
Country       % of Country's IP Addresses   Source IPs
Vietnam       0.130%                        20,244
China         0.093%                        306,627
Taiwan        0.081%                        28,546
Canada        0.026%                        20,601
U.S.          0.006%                        95,004

Q3 2016
Country       % of Country's IP Addresses   Source IPs
U.K.          0.036%                        44,460
Brazil        0.025%                        81,276
China         0.025%                        81,276
France        0.025%                        23,980
U.S.          0.004%                        59,350

Q4 2016
Country       % of Country's IP Addresses   Source IPs
Russia        0.078%                        33,211
U.K.          0.059%                        72,949
Germany       0.042%                        49,408
China         0.014%                        46,783
U.S.          0.012%                        180,652

Sources:

Akamai's State of the Internet Security Q4 2016 report. https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q4-2016-state-of-the-internet-security-report.pdf

Wikipedia contributors, "List of countries by IPv4 address allocation," Wikipedia, The Free Encyclopedia, https://en.wikipedia.org/w/index.php?title=List_of_countries_by_IPv4_address_allocation&oldid=776891748 (accessed July 17, 2017).

61 The number of source IPs participating in DDoS attacks is from the Akamai State of the Internet Security Report Q4 2016 report. The data has been normalized for the percent of a country's assigned IPv4 addresses from IANA data at the time of the writing of this paper. The percentages may vary some from the time of the Akamai report.


Appendix B – Threats from Botnets

Click Fraud

Websites are often paid for by advertisers. Advertisers pay by the number of "clicks" or visits to the advertiser's website. If a website or advertising broker is able to generate a perception that many people are visiting an ad, it compels the advertiser to pay for each of those visits. One way to generate lots of clicks is to command a botnet to generate those visits.

Email spam, phishing email, or malware email

Botnets are often used to originate unsolicited bulk email, which may also include distribution of malware of various types such as ransomware, links to phishing sites, and malware associated with bots. Botnets can also be used to send more mundane unsolicited sales propaganda.

Unauthorized Network Gateway

Bots within a protected network boundary such as an enterprise network can become unauthorized gateways into the protected boundary, and can be used to gain access to other resources (data or computers) within the protected boundary (aka lateral movement).

Data Theft

Bots can steal data from infected devices through means such as network monitoring, key logging, or scraping data from memory or disk. This is frequently accomplished because many bot members sit within private and enterprise networks next to assets containing the valuable data. A great amount of data theft today is accomplished with "Spear Phishing"⁶² attacks where valid-looking emails are sent to a person at a company and that email is used to steal intellectual property or banking information, or to host malware. A typical attack may consist of the "bad guy" sending an email to an administrative assistant or other lower-level employee that looks like it came from a senior executive, whereby the "executive" is asking for the email recipient to reset a password because an "invoice needs to be paid" today. The recipient will reset the password using obfuscated links containing malware in the email. This allows the infection to begin, and the installed APT (Advanced Persistent Threat) software then conducts illegal activities.

62 Federal Bureau of Investigation (FBI), Spear Phishers (Apr. 1, 2009), available at https://archives.fbi.gov/archives/news/stories/2009/april/spearphishing_040109 (accessed July 17, 2017).

Illicit Content Distribution

Bots are sometimes connected to peer-to-peer file sharing networks to help store and distribute illegal content.

Brute force password guessing

Botnets are used for brute force password guessing. One method uses high speed password guessing attempts using a random password algorithm, a password dictionary or a predefined password list. First, brute forcing can be used by an individual bot member as a recruitment method to infect other devices by scanning for any assets with a known open exposed port and then implementing one of the brute force methods explained to "guess" the password. Second, it can be used by a bot or botnet to brute force an intended target's login credentials to gain access to the privilege or data the credential provides.
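From the defender's side, both uses described above leave the same trace on the target: bursts of failed logins. The script below is an added example written for this edit, not material from the paper or its contributors. It runs over a constructed sample of OpenSSH-style auth.log lines (made-up host, user names and RFC 5737 documentation addresses) and applies two sliding-window rules: many failures from one source, which catches a single bot hammering a host, and one account failing from many distinct sources, which catches a botnet spreading its guesses so that no single source trips the first rule. The year is assumed because syslog timestamps omit it.

```python
"""Sliding-window detection of brute-force login guessing in auth logs.

Added example for this edit; the log lines are constructed, not real data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the shape of OpenSSH auth.log lines. Host, user names and
# addresses (RFC 5737 documentation ranges) are made up for this illustration.
SAMPLE_LOG = """\
Jun 20 10:00:01 host sshd[2001]: Failed password for root from 203.0.113.5 port 51000 ssh2
Jun 20 10:00:03 host sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Jun 20 10:00:04 host sshd[2003]: Failed password for root from 203.0.113.5 port 51004 ssh2
Jun 20 10:00:06 host sshd[2004]: Failed password for root from 203.0.113.5 port 51006 ssh2
Jun 20 10:00:07 host sshd[2005]: Failed password for invalid user pi from 203.0.113.5 port 51008 ssh2
Jun 20 10:00:09 host sshd[2006]: Accepted password for alice from 198.51.100.7 port 40000 ssh2
Jun 20 10:01:30 host sshd[2007]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Jun 20 10:02:00 host sshd[2008]: Failed password for root from 192.0.2.10 port 60000 ssh2
Jun 20 10:02:05 host sshd[2009]: Failed password for root from 192.0.2.11 port 60001 ssh2
Jun 20 10:02:10 host sshd[2010]: Failed password for root from 192.0.2.12 port 60002 ssh2
Jun 20 10:15:00 host sshd[2011]: Failed password for bob from 198.51.100.7 port 40004 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(log_text, year=2017):
    """Return (timestamp, user, source) for each failed-login line.
    Syslog omits the year, so one is assumed (2017 for the constructed sample)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts_text = " ".join(m["ts"].split())  # collapse syslog's padded day field
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["src"]))
    return events


def detect_bruteforce(log_text, window_seconds=60,
                      per_source_threshold=5, distinct_source_threshold=3):
    """Two sliding-window rules:
      1. one source producing >= per_source_threshold failures (a single bot);
      2. one account failing from >= distinct_source_threshold different sources
         (a botnet spreading its guesses so no single source trips rule 1).
    Returns ({source: (first_trigger, failures_in_window)},
             {user: (first_trigger, distinct_sources_in_window)})."""
    window = timedelta(seconds=window_seconds)
    by_source = defaultdict(deque)  # source -> timestamps of recent failures
    by_user = defaultdict(deque)    # user   -> (timestamp, source) of recent failures
    flagged_sources, flagged_users = {}, {}
    for ts, user, src in sorted(parse_failures(log_text)):
        q = by_source[src]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= per_source_threshold and src not in flagged_sources:
            flagged_sources[src] = (ts, len(q))

        uq = by_user[user]
        uq.append((ts, src))
        while ts - uq[0][0] > window:
            uq.popleft()
        distinct = len({s for _, s in uq})
        if distinct >= distinct_source_threshold and user not in flagged_users:
            flagged_users[user] = (ts, distinct)
    return flagged_sources, flagged_users


if __name__ == "__main__":
    sources, users = detect_bruteforce(SAMPLE_LOG)
    for src, (when, count) in sources.items():
        print(f"source {src}: {count} failures by {when:%H:%M:%S}")
    for user, (when, count) in users.items():
        print(f"account {user}: guessed from {count} sources by {when:%H:%M:%S}")
```

On the sample, rule 1 fires for 203.0.113.5 at its fifth failure (10:00:07) and rule 2 fires for the root account once three different sources have tried it inside one minute (10:02:10); the two slow failures from 198.51.100.7 trip neither rule. The second rule is the one that matters for botnets: each bot can stay under any per-source limit, so the account, not the source, has to be the unit of aggregation.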

Processing Theft (e.g., Bitcoin mining)

Due to the number of bot members typically seen in botnets, and the rising price of cryptocurrency (e.g. Bitcoin), botnets are very frequently seen being used to "mine" for coins. The process for mining Bitcoins requires the solving of very complex math equations which, when solved, award the miner a set number of coins. In order to be successful, a miner needs a tremendous amount of computing power to solve these equations in the least amount of time. This is where a botnet can be extremely useful. By harnessing the computing power of a large number of bots and "commanding" those bots to act as miners, the botnet owner can use the combined processing of many bots to make Bitcoin mining very lucrative.

Botnets have also been used to harness the computing power of the infected devices in order to perform Bitcoin mining or other activities for the benefit of the malicious actors running the botnet and not the legitimate owners of the computing resources.


Glossary

AIS – Automated Indicator Sharing. The Department of Homeland Security (DHS) operates a free service for the exchange of cyber threat indicators.

Bot – A program that is installed on a system in order to enable that system to automatically (or semi-automatically) perform a task or set of tasks, typically under the command and control of a remote administrator (aka botmaster or bot herder).

Botnet – A network of internet-connected end-user computing devices infected with bot malware, which are remotely controlled by third parties for nefarious purposes.

Command & Control (C&C) – A remote computer used to coordinate the actions of bots.

CTI – Cyber Threat Indicator is the information that is necessary to describe or identify an attribute of a cybersecurity threat.

DDoS – Distributed Denial of Service attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.

DNS – Domain Name System is the hierarchical decentralized naming system for resources connected to the internet.

DNS Water Torture – An attack type where many end-points send queries for a victim's domain with a random string prepended to the domain, overwhelming the victim's authoritative DNS server and making the victim's domain inaccessible.

DOTS – DDoS Open Threat Signaling is a method by which a device or application participating in DDoS mitigation may signal information related to current threat handling to other devices or applications.

ICANN – Internet Corporation for Assigned Names and Numbers is the nonprofit organization responsible for coordinating the maintenance and procedures of the internet's namespace.


IRC - Internet Relay Chat is an internet protocol that facilitates communicating in text using a client/server architecture.

IoT - Internet of Things is the umbrella term to reference the technological development in which a greatly increasing number of devices are connected to one another and/or to the Internet.

IPv4 – Internet Protocol version 4 is the fourth version of the Internet Protocol (IP). IPv4 is one of the core protocols and still routes most Internet traffic today.

IPv6 – Internet Protocol version 6 is the sixth version of the Internet Protocol (IP). IPv6 is the most recent version and was developed to address the anticipated problem of IPv4 address exhaustion. IPv6 is intended to replace IPv4.

Kill Chain – Idea put forth by Lockheed Martin to describe the phases of a targeted cyber-attack: 1) reconnaissance, 2) weaponization, 3) delivery, 4) exploit, 5) installation, 6) command & control, and 7) actions.

NAT – Network Address Translation is a method for remapping one IP address space into another by modifying the address in the IP packet headers to allow multiple end-points to share one address while they transit a network router.

Network Service Provider – A network service provider or operator is any enterprise that is operating a network that has an assigned autonomous system number (ASN).

Peering – Peering is the voluntary interconnection of two separated networks for the purpose of exchanging traffic between users on each network.

Peer-to-Peer (P2P) – Traditionally, botnet clients communicate with a C&C server for commands. P2P botnets operate without a C&C server; each bot is both a client and a server.

Software Defined Networking (SDN) – An approach to computer networking that allows for the programmatic control of network behavior using open interfaces and decoupling the packet forwarding plane from the control plane, to allow for the use of standard servers and Ethernet switches to provide the routing function instead of specialized routers.


SSAC – The Security and Stability Advisory Committee advises the ICANN community and Board on matters relating to the security and integrity of the internet's naming and address allocation systems.

Tarpit – A tarpit is a computer that purposely delays incoming connections. It is a defensive measure to make spamming and network scanning slower. It is analogous to a tar pit in which animals can get bogged down and slowly sink under the surface.

Transit – Internet transit is the service of allowing network traffic to "transit" a network to reach another network. Small network operators and enterprises buy Internet transit to gain access to the Internet.